win.quickheal

QuickHeal


There is no description at this point.

References
2021-08-29Medium Asuna AmawakaAsuna Amawaka
@online{amawaka:20210829:quarians:7788603, author = {Asuna Amawaka}, title = {{Quarians, Turians and…QuickHeal}}, date = {2021-08-29}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42}, language = {English}, urldate = {2021-10-20} } Quarians, Turians and…QuickHeal
QuickHeal
2021-06-16Recorded FutureInsikt Group®
@techreport{group:20210616:threat:d585785, author = {Insikt Group®}, title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}}, date = {2021-06-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf}, language = {English}, urldate = {2022-07-29} } Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal
Yara Rules
[TLP:WHITE] win_quickheal_auto (20220808 | Detects win.quickheal.)
rule win_quickheal_auto {
    // Auto-generated code-sequence rule for the win.quickheal family (see meta below).
    // It matches short runs of x86 opcodes taken from the disassembly of reference
    // samples; it is a detection aid, not an attribution statement on its own.
    // Bytes written as "??" are wildcards: relocatable operands (call/jmp targets,
    // immediates, data references — per signator_config) are masked so that the
    // sequence still matches after relinking or rebasing.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.quickheal."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickheal"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): $sequence_0 and $sequence_4 both build a 32-bit rotate-left
        // by 11 (shr 0x15 / shl 0xb / or); together with the 0x5a827999 constant in
        // $sequence_7 (the SHA-1 round constant for rounds 0-19) these look like
        // statically linked hash-routine code rather than family-specific logic,
        // so they may also occur in unrelated binaries — weigh hits on these
        // sequences accordingly and confirm against the reference samples.
        $sequence_0 = { 8b542424 03ca 03e9 8bcd c1e915 c1e50b 0bcd }
            // n = 7, score = 100
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]
            //   03ca                 | add                 ecx, edx
            //   03e9                 | add                 ebp, ecx
            //   8bcd                 | mov                 ecx, ebp
            //   c1e915               | shr                 ecx, 0x15
            //   c1e50b               | shl                 ebp, 0xb
            //   0bcd                 | or                  ecx, ebp

        $sequence_1 = { 83c724 83c624 8b442410 66ff442414 48 89442410 }
            // n = 6, score = 100
            //   83c724               | add                 edi, 0x24
            //   83c624               | add                 esi, 0x24
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   66ff442414           | inc                 word ptr [esp + 0x14]
            //   48                   | dec                 eax
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        // "68????????" is push imm32 and "e8????????" is call rel32 with the
        // operand masked (see the wildcard note at the top of the rule).
        $sequence_2 = { 68???????? 52 e8???????? 8d44243c 8d4c2442 50 68???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   52                   | push                edx
            //   e8????????           |                     
            //   8d44243c             | lea                 eax, [esp + 0x3c]
            //   8d4c2442             | lea                 ecx, [esp + 0x42]
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_3 = { 66898424b4000000 66898424b6000000 0fbfc0 03c6 ba18000000 }
            // n = 5, score = 100
            //   66898424b4000000     | mov                 word ptr [esp + 0xb4], ax
            //   66898424b6000000     | mov                 word ptr [esp + 0xb6], ax
            //   0fbfc0               | movsx               eax, ax
            //   03c6                 | add                 eax, esi
            //   ba18000000           | mov                 edx, 0x18

        $sequence_4 = { 03f3 03c6 8bf0 c1ee15 c1e00b 0bf0 8bc6 }
            // n = 7, score = 100
            //   03f3                 | add                 esi, ebx
            //   03c6                 | add                 eax, esi
            //   8bf0                 | mov                 esi, eax
            //   c1ee15               | shr                 esi, 0x15
            //   c1e00b               | shl                 eax, 0xb
            //   0bf0                 | or                  esi, eax
            //   8bc6                 | mov                 eax, esi

        $sequence_5 = { 7527 85ed 7523 8b4c2414 e8???????? 53 892d???????? }
            // n = 7, score = 100
            //   7527                 | jne                 0x29
            //   85ed                 | test                ebp, ebp
            //   7523                 | jne                 0x25
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   e8????????           |                     
            //   53                   | push                ebx
            //   892d????????         |                     

        $sequence_6 = { eb07 888c1414010000 83c002 42 3bc6 72e0 889c1413010000 }
            // n = 7, score = 100
            //   eb07                 | jmp                 9
            //   888c1414010000       | mov                 byte ptr [esp + edx + 0x114], cl
            //   83c002               | add                 eax, 2
            //   42                   | inc                 edx
            //   3bc6                 | cmp                 eax, esi
            //   72e0                 | jb                  0xffffffe2
            //   889c1413010000       | mov                 byte ptr [esp + edx + 0x113], bl

        $sequence_7 = { 23e9 23de 0bdd 8b6c2428 03dd 8be9 8d9c1a9979825a }
            // n = 7, score = 100
            //   23e9                 | and                 ebp, ecx
            //   23de                 | and                 ebx, esi
            //   0bdd                 | or                  ebx, ebp
            //   8b6c2428             | mov                 ebp, dword ptr [esp + 0x28]
            //   03dd                 | add                 ebx, ebp
            //   8be9                 | mov                 ebp, ecx
            //   8d9c1a9979825a       | lea                 ebx, [edx + ebx + 0x5a827999]

        $sequence_8 = { 8d4c2408 e8???????? 8d4c2408 c68424d401000001 e8???????? 393d???????? 7438 }
            // n = 7, score = 100
            //   8d4c2408             | lea                 ecx, [esp + 8]
            //   e8????????           |                     
            //   8d4c2408             | lea                 ecx, [esp + 8]
            //   c68424d401000001     | mov                 byte ptr [esp + 0x1d4], 1
            //   e8????????           |                     
            //   393d????????         |                     
            //   7438                 | je                  0x3a

        $sequence_9 = { 6689bc2476020000 8b842476020000 8d8c2474020000 25ffff0000 83c010 50 51 }
            // n = 7, score = 100
            //   6689bc2476020000     | mov                 word ptr [esp + 0x276], di
            //   8b842476020000       | mov                 eax, dword ptr [esp + 0x276]
            //   8d8c2474020000       | lea                 ecx, [esp + 0x274]
            //   25ffff0000           | and                 eax, 0xffff
            //   83c010               | add                 eax, 0x10
            //   50                   | push                eax
            //   51                   | push                ecx

    condition:
        // Fires when at least 7 of the 10 $sequence_* strings are present and the
        // scanned object is smaller than 553984 bytes (541 KiB). The size cap was
        // derived from the reference samples, so a repacked or otherwise larger
        // build of the same code could fall outside it; filesize is also only
        // defined for file scans, so on process-memory scans this clause does not
        // hold — confirm against the YARA version in use.
        7 of them and filesize < 553984
}